Xembly’s Data Privacy & Security
At Xembly, we take the responsibility of managing your data privacy and security very seriously. We earn our access to manage your calendar and video call data everyday by creating and enforcing rigorous internal policies designed to keep your data safe.
Frequently Asked Questions
Xembly is SOC 2 Type I certified and has successfully passed a third-party audit from StrikeGraph. We’re fully committed to ensuring strong internal control practices and security frameworks are in place to secure our customer’s data and privacy. If you would like to request a copy of our SOC 2 report, please email us at legal@xembly.com
Xembly will ask to integrate with your Google Calendar for purposes of finding and making times for meetings and focused work as well as your chosen videocall platform(s): Zoom or Google Meet. Xembly works through Google and Zoom’s first party authentication, so your access is secured through those entities.
We may share your personal information with the following parties and as otherwise described in this Privacy Policy or at the time of collection.
Other Users. We may share feedback you provide regarding others who are identified as invitees/participants in your calendar meetings with such individuals. By default, we do not attribute your name to any feedback you provide related to other users and will not share your feedback with any other user unless at least one other person provides feedback related to such person.
Affiliates. We may share your personal information with our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.
Service providers. We may share your personal information with third parties that provide services on our behalf or help us operate the Service or our business (such as data storage (using AWS), hosting, information technology, customer support, email delivery, marketing, consumer research and website analytics).
Marketing, advertising, and other uses. We, our service providers and our third-party advertising partners may collect, sell and/or use your personal information for marketing and advertising purposes, as well as other uses, such as training models for AI, communication, and other data model training. For example, our third-party advertising partners may use cookies and similar technologies to collect information about your interaction (including the data described in the automatic data collection section above) with the Service, our communications and other online services over time, and use that information to serve online ads that they think will interest you. This is called interest-based advertising. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms. As another example, Xembly and our partners may utilize your data, gathered directly by Xembly or through cookies and other data collection technologies, to analyze your usage of the Service. This information helps to create new products and enhance existing services. Additionally, we may share user information with our partners to support the development of other products that require similar AI training across different platforms.
Linked third-party services. If you log into the Service with, or otherwise link your Service account to a third-party service (such as Okta), we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.
Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention and safety purposes.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Xembly operates on a principle of least privilege. It collects basic user information (name, email address), limited Calendar Data (meeting title, attendees, frequency, start/end times, video conferencing provider). Xembly does NOT read or store meeting description, attachment information, or have access to Google Drive. Optionally – at the user’s request – Xembly captures meeting recordings to automatically generate meeting notes.
Xembly maintains a strict data management policy as part of its SOC2 compliance. Selected callouts from its data management policy:
- Data is encrypted in transit with TLS 1.3; and at rest with AES-256 encryption.
- Encryption keys are rotated on a periodic basis.
- Data is logically separated by customer.
- All data must be classified according to our data classification policy.
- Any PII must be kept in its secured corporate network; only VPN accessible.Removable media is restricted.
Xembly stores calendar data (meeting title, attendees, frequency, start/end times, video conferencing provider) for the life of the user. For meeting notes (“Summaries”), storage is variable and based on customer preference.
For example, the Company can set a default preference to delete all meeting artifacts (video and transcript) for its employees at a specified period, including immediately after processing OR 2 days after, 1 week after, 30 days, etc. Individual users also have this same capability in their Settings controls (image to the right). If the user deletes their Xembly account, all data is hard deleted.
Xembly’s approach related to meeting notes – a feature it calls “Summary” – focuses on Security, Control and Compliance.
- Importantly, Summary is an Opt-In feature (the user default is Off).
- The Xembly meeting Organizer enables Summary by either manually switching it to “ON” or asking Xena (conversational assistant) to turn it ON / take notes for that event or series.
All attendees are notified that the meeting is being recorded in two separate moments:
- Pre-meeting: A note on their meeting invite before the meeting starts letting them know that recording is on (see image and disclaimer to the right).
- At meeting initiation: Each individual who joins the call hears and sees an announcement that the call is being recorded (this process happens via Zoom’s controls). If attendees are not comfortable, the meeting Organizer has full control to stop or pause the recording directly from the Zoom control panel.
Once the meeting is complete, Xembly processes the meeting through its AI pipeline and delivers it to the meeting Organizer. Only the meeting Organizer has control:
- Ability to edit / customize the notes.
- Ability to share the notes (or not).
If the Organizer shares notes, attendees are limited to read-only access.
If the Organizer shares notes, and meeting artifacts have not been deleted based on customer settings, all streaming video URLs for meeting recordings are signed with a limited Time-To-Live (TTL) of the duration of the meeting. This prevents any risk in case the URLs are inadvertently shared with people who should not have access.
If the Organizer shares notes, then Xembly helps to hold the team accountable to their work commitments:
- Xembly automatically posts Action Items to the appropriate owner’s (Xembly) Task Manager for completion.
- When posted to the owner’s Task Manager, Xembly then schedules block time to complete the action item. If the work is not completed during the assigned block time, Xembly will continue to move the designated block time until the item is completed (the user has marked it done). This approach has helped improve team performance and accountability to goals.
- Action item status is up-to-date for everyone to see.
Please reach out to legal@xembly.com